Edgerouter x site to site vpn setup


Edgerouter x site to site vpn setup guide: complete step-by-step Edgerouter X site-to-site VPN configuration for secure networks

Edgerouter x site to site vpn setup involves creating an IPsec tunnel between two EdgeRouter devices and configuring static routes.

In this guide, you’ll get a practical, battle-tested approach to building a reliable site-to-site VPN with EdgeRouter X. We’ll cover planning, configuring, testing, and hardening a pair of EdgeRouter X devices, including both GUI-based steps and CLI commands you can copy-paste. You’ll learn how to handle dynamic IPs, route traffic between the two networks, and troubleshoot common issues. Plus, I’ll share security best practices and performance tips so your tunnel stays fast and safe.

If you want an extra layer of privacy during testing or optional protection for remote access, consider the NordVPN offer (77% off plus 3 months free). NordVPN is a handy add-on while you’re experimenting with VPN setups, but the core EdgeRouter X site-to-site VPN steps below stand on their own for a solid enterprise-grade connection.

Table of contents

  • Understanding Edgerouter X site-to-site VPN setup
  • Prerequisites and planning
  • Design example and traffic flow
  • Step-by-step setup GUI
  • Step-by-step setup CLI
  • Testing and verification
  • Common issues and troubleshooting
  • Security and performance considerations
  • Maintenance and monitoring
  • Frequently asked questions

Understanding Edgerouter X site-to-site VPN setup

A site-to-site VPN creates a secure tunnel between two distinct networks over the public internet. In an EdgeRouter X scenario, you’ll typically use IPsec to encrypt traffic between the two sites. The tunnel has two main parts:

  • Phase 1 (IKE): how the peers authenticate each other and negotiate the parameters that protect the tunnel itself (encryption, hash, DH group, lifetime).
  • Phase 2 (IPsec): the actual protected traffic flow, including which subnets are allowed through the tunnel and which encryption/authentication algorithms protect that traffic.

Key concepts you’ll encounter:

  • Local subnet: the LAN behind EdgeRouter A that you want to reach from EdgeRouter B.
  • Remote subnet: the LAN behind EdgeRouter B that you want EdgeRouter A to reach.
  • Pre-shared key (PSK): a shared secret used to authenticate the VPN peers.
  • NAT traversal (NAT-T): helps IPsec work when either side is behind a NAT.
  • Dead Peer Detection (DPD): keeps the tunnel alive and detects dead peers.

Typical algorithms and settings you’ll see:

  • Encryption: AES-256 or AES-128
  • Integrity: SHA-256 or SHA-1 (SHA-256 preferred)
  • DH group: 14 (2048-bit) or higher for Phase 1
  • PFS (Perfect Forward Secrecy) for Phase 2: often group 14 or 5
  • IPsec mode: tunnel mode for site-to-site VPN
  • NAT-T: usually enabled if either side sits behind a NAT

Prerequisites and planning

Before you touch the EdgeRouter X web UI or CLI, gather this information:

  • Public IP addresses for both sites (or dynamic DNS if you don’t have static IPs)
  • Local subnet at Site A (EdgeRouter A): e.g., 192.168.10.0/24
  • Local subnet at Site B (EdgeRouter B): e.g., 192.168.20.0/24
  • A strong pre-shared key (at least 20 random characters)
  • Which interface on each EdgeRouter is used for the WAN connection (often eth0)
  • Desired traffic flow: which subnets should be reachable across the tunnel (only specific subnets, or full routes)

Why this planning matters:

  • If you define the wrong local/remote subnets, you’ll see no traffic cross the tunnel or you’ll route the wrong traffic through the VPN.
  • Dynamic IPs require a dynamic DNS (DDNS) setup so peers can locate each other reliably.

Security notes:

  • Use a strong PSK and rotate it periodically.
  • Use AES-256 if possible. SHA-256 is preferred for integrity.
  • Enable NAT-T if you’re behind NAT at either site.
  • Minimize exposed services on the VPN endpoints: allow only the VPN traffic itself through the firewall.

Design example and traffic flow

Design example:

  • Site A LAN: 192.168.10.0/24
  • Site B LAN: 192.168.20.0/24
  • Site A WAN: 203.0.113.1
  • Site B WAN: 198.51.100.1
  • PSK: a long random string
  • VPN clients (if any) are separate from the site-to-site tunnel and may use a separate remote-access VPN, not covered here

Traffic flow:

  • Traffic from 192.168.10.0/24 destined for 192.168.20.0/24 is sent into the IPsec tunnel.
  • The tunnel is established by IKE Phase 1 with the peer at 198.51.100.1 and Phase 2 with the specified local/remote subnets.
  • When the tunnel is up, the firewall rules at both sites permit only VPN traffic from the VPN peers, ensuring the tunnel remains closed to the broader internet.

Tip: For reliability, consider a short fallback route for use when the VPN goes down. This lets local traffic fail over gracefully, or at least logs the outage for quick triage.

Step-by-step setup GUI

Note: The EdgeRouter UI can vary slightly by firmware version. The steps below are a solid baseline that works in most recent EdgeOS releases. If an option isn’t visible, look under similar labels like “IPsec” or “VPN” or consult the latest UI docs.

  1. Prepare EdgeRouter A (Site A)
  • Log in to EdgeRouter A’s web interface.
  • Go to VPN > IPsec Site-to-Site.
  • Add a new peer:
    • Peer IP: Site B’s public IP (e.g., 198.51.100.1) or dynamic DNS hostname
    • Authentication: Pre-Shared Key
    • Pre-Shared Key: enter your strong PSK
    • Local Subnet: 192.168.10.0/24
    • Remote Subnet: 192.168.20.0/24
    • IKE Group: choose a secure option (e.g., DH group 14)
    • ESP Group (Phase 2): AES-256 with SHA-256, PFS group 14
    • NAT-T: enabled
    • Enable: yes
  • Save the peer configuration.
  2. Prepare EdgeRouter B (Site B)
  • Log in to EdgeRouter B’s web interface.
  • Go to VPN > IPsec Site-to-Site and add a new peer that mirrors Site A:
    • Peer IP: Site A’s public IP (e.g., 203.0.113.1) or dynamic DNS hostname
    • Pre-Shared Key: must match EdgeRouter A’s PSK
    • Local Subnet: 192.168.20.0/24
    • Remote Subnet: 192.168.10.0/24
    • IKE Group: same as Site A
    • ESP Group: same as Site A
  • Save the peer configuration.
  3. Create firewall rules to permit VPN traffic
  • On both sites, create firewall rules that allow IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50; AH is protocol 51 and is only needed if your platform uses it).
  • Ensure the rules are placed in the correct interface direction (inbound/outbound) and do not block the VPN traffic.
  4. Configure static routes
  • On Site A, add a route for 192.168.20.0/24 via the VPN tunnel interface.
  • On Site B, add a route for 192.168.10.0/24 via the VPN tunnel interface.
  • This ensures traffic destined for the remote LAN is sent through the IPsec tunnel.
  5. Test the tunnel
  • Force a VPN re-key or re-establish the tunnel (there’s usually a “connect” or “reconnect” button).
  • From a host on Site A (192.168.10.0/24), ping a host on Site B (192.168.20.0/24) and verify replies.
  • Do the reverse test from Site B to Site A.
  6. Validate with real traffic
  • Use traceroute/ping to confirm the path is through the VPN.
  • Check latency and throughput across the tunnel to ensure it meets expectations for your use case.
  7. Save and back up the configuration
  • After confirming the tunnel is stable, back up the EdgeRouter configuration on both sides.
  • Document your subnets and tunnel settings for future maintenance, and keep the PSK in a safe location such as a password manager.

Step-by-step setup CLI

If you prefer the command line, here’s a representative set of EdgeOS CLI commands you can tailor to your network. Replace placeholders with your actual addresses, PSK, and subnets.

On EdgeRouter A Site A:

  • configure
  • set vpn ipsec ipsec-interfaces interface eth0
  • set vpn ipsec nat-traversal enable
  • set vpn ipsec auto-firewall-nat-exclude enable
  • set vpn ipsec ike-group FAMILY_IKE lifetime 3600
  • set vpn ipsec ike-group FAMILY_IKE proposal 1 dh-group 14
  • set vpn ipsec ike-group FAMILY_IKE proposal 1 encryption aes256
  • set vpn ipsec ike-group FAMILY_IKE proposal 1 hash sha256
  • set vpn ipsec esp-group FAMILY_ESP lifetime 3600
  • set vpn ipsec esp-group FAMILY_ESP pfs dh-group14
  • set vpn ipsec esp-group FAMILY_ESP proposal 1 encryption aes256
  • set vpn ipsec esp-group FAMILY_ESP proposal 1 hash sha256
  • set vpn ipsec site-to-site peer 198.51.100.1 authentication mode pre-shared-secret
  • set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret 'YOUR_PRESHARED_KEY'
  • set vpn ipsec site-to-site peer 198.51.100.1 ike-group FAMILY_IKE
  • set vpn ipsec site-to-site peer 198.51.100.1 local-address 203.0.113.1
  • set vpn ipsec site-to-site peer 198.51.100.1 tunnel 1 esp-group FAMILY_ESP
  • set vpn ipsec site-to-site peer 198.51.100.1 tunnel 1 local prefix 192.168.10.0/24
  • set vpn ipsec site-to-site peer 198.51.100.1 tunnel 1 remote prefix 192.168.20.0/24
  • commit
  • save
  • exit

On EdgeRouter B (Site B), after defining the same IKE and ESP groups as on Site A (FAMILY_IKE and FAMILY_ESP here):

  • configure
  • set vpn ipsec ipsec-interfaces interface eth0
  • set vpn ipsec nat-traversal enable
  • set vpn ipsec auto-firewall-nat-exclude enable
  • set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
  • set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'YOUR_PRESHARED_KEY'
  • set vpn ipsec site-to-site peer 203.0.113.1 ike-group FAMILY_IKE
  • set vpn ipsec site-to-site peer 203.0.113.1 local-address 198.51.100.1
  • set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group FAMILY_ESP
  • set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 192.168.20.0/24
  • set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 192.168.10.0/24
  • commit
  • save
  • exit

Notes:

  • The IKE group and ESP group names are labels you choose; the tunnel number and exact option names may vary by firmware version. Use identical group definitions and the same PSK on both sides.
  • If either site uses a dynamic IP, you’ll need to configure DDNS and reflect that in the peer address.
  • If you’re behind NAT on either end, NAT traversal should be enabled (it’s typically on by default in EdgeOS).
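As an added example (not from the guide or from Ubiquiti), the Python script below renders the EdgeOS commands for both routers from one description of the two sites, so the local/remote prefixes, group names and PSK cannot drift apart, and it refuses overlapping LAN prefixes or a short PSK before anything is committed. The Site class, the FAMILY_IKE/FAMILY_ESP group names and the sample addresses are this example's assumptions, taken from the design example above.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    wan_ip: str   # public address (a DDNS name would be resolved first)
    lan: str      # LAN prefix behind this router
    wan_if: str = "eth0"

def check_plan(a, b, psk):
    """Reject the planning errors the guide warns about before anything is committed."""
    lan_a, lan_b = ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)
    if lan_a.overlaps(lan_b):
        raise ValueError(f"LAN prefixes overlap: {lan_a} and {lan_b}")
    if len(psk) < 20:
        raise ValueError("PSK is shorter than 20 characters")

def edgeos_commands(local, remote, psk, ike="FAMILY_IKE", esp="FAMILY_ESP"):
    """EdgeOS 'set' lines for one router (paste inside 'configure', then commit; save).
    Swapping local and remote yields the mirror image, so both sides agree by construction."""
    peer = f"vpn ipsec site-to-site peer {remote.wan_ip}"
    return [
        f"set vpn ipsec ipsec-interfaces interface {local.wan_if}",
        "set vpn ipsec nat-traversal enable",
        "set vpn ipsec auto-firewall-nat-exclude enable",  # NAT exclusion + firewall rules
        f"set vpn ipsec ike-group {ike} proposal 1 dh-group 14",
        f"set vpn ipsec ike-group {ike} proposal 1 encryption aes256",
        f"set vpn ipsec ike-group {ike} proposal 1 hash sha256",
        f"set vpn ipsec esp-group {esp} pfs dh-group14",
        f"set vpn ipsec esp-group {esp} proposal 1 encryption aes256",
        f"set vpn ipsec esp-group {esp} proposal 1 hash sha256",
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret '{psk}'",
        f"set {peer} ike-group {ike}",
        f"set {peer} local-address {local.wan_ip}",
        f"set {peer} tunnel 1 esp-group {esp}",
        f"set {peer} tunnel 1 local prefix {local.lan}",
        f"set {peer} tunnel 1 remote prefix {remote.lan}",
    ]

def build_both(a, b, psk):
    """Validated, mirrored command sets for both routers, keyed by site name."""
    check_plan(a, b, psk)
    return {a.name: edgeos_commands(a, b, psk), b.name: edgeos_commands(b, a, psk)}

# Constructed values from the guide's design example (assumed, not a real deployment)
SITE_A = Site("A", "203.0.113.1", "192.168.10.0/24")
SITE_B = Site("B", "198.51.100.1", "192.168.20.0/24")
```

Call build_both(SITE_A, SITE_B, psk) with your own PSK and paste each list into the matching router inside configure, followed by commit and save.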

Testing and verification

  • Confirm the tunnel status in the EdgeRouter UI under VPN > IPsec or via the CLI by checking “show vpn ipsec sa” or the equivalent status command.
  • Use ping to verify end-to-end connectivity: from Site A to Site B and vice versa.
  • Check that traffic intended for the remote subnet is actually being routed through the VPN by inspecting routing tables:
    • Look for routes to 192.168.20.0/24 via the VPN interface
    • Ensure there are no conflicting routes that bypass the VPN

Performance and behavior checks:

  • Verify that large packets are not hitting the MTU limit inside the tunnel; if you notice fragmentation, adjust the MSS/MTU on the hosts or on the VPN.
  • If you see dropped packets or intermittent connectivity, inspect NAT-T status and ensure both ends support the chosen encryption and hash algorithms without negotiation failures.
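As an added example (not from the guide), this Python script works out the TCP MSS value that keeps every ESP packet under a 1500-byte MTU for the suite recommended above, with and without NAT-T, and also covers SHA-1's shorter ICV through its parameters. It assumes that "AES-256 with SHA-256" is negotiated as AES-256-CBC (16-byte IV and block) with HMAC-SHA-256-128 (16-byte ICV), the form ESP normally uses.

```python
# Byte sizes of the fixed headers around a tunnel-mode ESP packet (IPv4, no options)
IP_HDR = 20        # outer IPv4 header
UDP_HDR = 8        # UDP header added by NAT-T encapsulation (UDP 4500)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
INNER_IP_TCP = 40  # inner IPv4 (20) + TCP (20) headers carried inside the tunnel


def esp_outer_length(inner_len, nat_t=True, iv_len=16, icv_len=16, block=16):
    """Size on the wire of one tunnel-mode ESP packet carrying inner_len bytes."""
    # CBC requires (payload + padding + trailer) to be a multiple of the cipher block
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + padded + icv_len


def max_inner_length(mtu=1500, nat_t=True, iv_len=16, icv_len=16, block=16):
    """Largest inner IP packet whose ESP encapsulation still fits within mtu."""
    fixed = IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + icv_len
    padded = (mtu - fixed) // block * block  # round the room left down to the block size
    return padded - ESP_TRAILER


def mss_clamp(mtu=1500, nat_t=True, **kw):
    """TCP MSS to advertise so no full-size segment is fragmented by ESP encapsulation."""
    return max_inner_length(mtu, nat_t, **kw) - INNER_IP_TCP


if __name__ == "__main__":
    for nat in (True, False):
        mss = mss_clamp(1500, nat)
        wire = esp_outer_length(mss + INNER_IP_TCP, nat)
        print(f"NAT-T={nat}: clamp MSS to {mss}, full segment on the wire = {wire} bytes")
```

On EdgeOS the result is the value to give to set firewall options mss-clamp mss <value> (together with mss-clamp interface-type), or to the hosts' own MTU/MSS settings if you prefer to adjust them there.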

Testing adjustments for dynamic IPs or remote networks

  • If either site has a dynamic IP, ensure the DDNS hostname is up-to-date and the EdgeRouter peers reference the hostname if possible.
  • If you can’t rely on always-on IPs, consider configuring a backup tunnel with a secondary peer, or a floating-IP approach if your hardware/environment supports it.

Security and performance considerations

  • Use AES-256 with SHA-256 in both Phase 1 and Phase 2 where possible.
  • Enable Perfect Forward Secrecy (PFS) for Phase 2 to add an extra layer of security at each tunnel rekey.
  • Use a reasonably short lifetime (e.g., 3600 seconds) for the IKE and IPsec SAs to ensure quicker recovery from any negotiation problems, but balance this against performance.
  • Regularly rotate PSKs and monitor tunnel health. Set up alerts if the tunnel goes down for a defined period.
  • Keep your EdgeRouter firmware up to date to benefit from security fixes and performance improvements.
  • Limit firewall exposure: strictly control what traffic can cross the VPN and what can reach the VPN peers from the public internet.

Maintenance and monitoring

  • Periodically check VPN logs for unusual negotiation failures and ensure no repeated PSK mismatches.
  • Monitor tunnel uptime and performance metrics (latency, jitter, throughput) and set up alerts if the tunnel becomes unstable.
  • Maintain a clear changelog of VPN settings when you modify subnets, PSKs, or device firmware.
  • Document IP addresses, subnets, and the exact EdgeRouter models involved so future admins can reproduce or adjust the setup quickly.

Frequently asked questions

What is a site-to-site VPN?

A site-to-site VPN connects two separate networks over the internet, creating a secure tunnel so devices on one network can talk to devices on the other as if they were on the same LAN.

Why choose IPsec for EdgeRouter X site-to-site VPN?

IPsec is widely supported, well understood, and offers strong encryption options. EdgeRouter devices have robust IPsec support in EdgeOS, making it a reliable choice for site-to-site VPNs.

Can I use a dynamic IP on one or both sides?

Yes. Use a Dynamic DNS DDNS hostname for the peer address and ensure the EdgeRouter config references the hostname rather than a fixed IP. You may need to implement a robust failover strategy or a secondary tunnel.

What subnets should I use for local and remote networks?

Choose subnets that won’t collide with each other or with other VPNs. For example, Site A: 192.168.10.0/24 and Site B: 192.168.20.0/24 are common choices in a lab or small business setup.

Should I enable NAT-T?

Yes, if either site is behind a NAT device. NAT-T ensures IPsec works through NAT and is a standard practice for site-to-site VPNs across consumer-grade internet connections.

What encryption and hash should I use?

AES-256 with SHA-256 is a common and secure combination. You can also use AES-128 if performance is a concern, but AES-256 is generally preferred for security.

How do I test a VPN tunnel?

Test by pinging hosts on the remote subnet from hosts on the local subnet. Use traceroute to validate the path, and check VPN status indicators in the EdgeRouter UI or CLI.

What could cause “No matching SPI” or “no matching IPsec SA” errors?

Mismatched IKE/ESP proposals, PSK mismatches, or misconfigured local/remote subnets. Double-check the peer IPs, PSK, and the Phase 1/2 settings on both sides.

How can I troubleshoot poor performance on the VPN tunnel?

Check MTU, enable proper compression settings only if supported, ensure both sides are not throttling, verify hardware acceleration, and confirm the tunnel is using the preferred encryption algorithms. Also review firewall rules that might be inadvertently filtering VPN traffic.

Can I run a VPN for both site-to-site and remote access on the same EdgeRouter X?

Yes, you can run a site-to-site tunnel alongside a remote-access VPN (such as a separate OpenVPN or L2TP/IPsec server) on EdgeRouter X. Keep the configurations clearly separated to avoid conflicts and ensure firewall rules are properly scoped.

How often should I rotate the pre-shared key?

Rotate when you suspect a compromise or as part of your regular security hygiene—e.g., every 6 to 12 months for sensitive deployments. For lower-risk setups, annual rotation is a reasonable default.

What happens if the remote site changes its public IP?

If you’re using a static IP, you’re safe. If dynamic, DDNS helps, but you’ll need to ensure the EdgeRouter’s peer is set to track the DDNS hostname or you set up a secondary path for rapid failover.

Is a firewall necessary on the VPN interfaces?

Yes. You should implement firewall rules to permit only IPsec traffic and the traffic you explicitly allow across the tunnel. Keep the tunnel ports restricted and monitor the logs for anomalies.

Do I need to disable NAT on the VPN interfaces?

Not usually. NAT is typically not applied to IPsec tunnel traffic, but ensure your firewall rules allow IPsec and related traffic. If NAT is interfering, re-check interface assignments and NAT rules.

How do I back up and restore the VPN configuration?

Back up the EdgeRouter configuration once the VPN is stable. Use the device’s backup/restore features in the UI or export the configuration to a file. Document the PSK and tunnel parameters in a safe location.

Are there better options than EdgeRouter X for site-to-site VPNs?

For simple IPsec site-to-site setups, EdgeRouter X is a solid, affordable option. For very large deployments or if you need integrated dynamic routing with easier management, you might explore higher-end EdgeRouter models or dedicated firewall/UTM devices, but EdgeRouter X remains a popular, capable choice for many small to mid-size networks.
